ROI WITH SECURITY

Finally, a Real Return on Security Spending

18.02.2002
By Scott Berinato

The reason was simple, and it will sound familiar to CIOs and chief security officers: "[Parmalee] realized that he could never succeed in obtaining contracts from the mill owners...unless he could ensure for them a reasonable return upon their outlay," Wormald wrote.

Today, it's data warehouses, but data is as combustible as cotton. Thousands of George Parmalees - CIOs and CSOs, not to mention security consultants and vendors - are eager to demonstrate inventions that extinguish threats to information before those threats take down the company. But the investment conundrum remains precisely what it was 120 years ago. CEOs and CFOs want quantifiable proof of an ROI before they invest.

The problem, of course, is that until just recently a quantifiable return on security investment (ROSI) didn't exist. The best ROSI argument CIOs had was that spending might prevent a certain amount of losses from security breaches.

But now several research groups have developed surprisingly robust and supportable ROSI numbers. Their research is dense and somewhat raw, but security experts praise the efforts as a solid beginning toward a quantifiable ROSI.

"I was quite surprised, to be honest," says Dorothy Denning, a professor at Georgetown University and a widely regarded information security expert. "I have a good sense of what's good research, and all of this seems good. They are applying academic rigor."
